[Bug 2035180] Re: [SRU] Backport Fix barbican client with application credentials/trusts to Ussuri/Victoria
Mauricio Faria de Oliveira
2035180 at bugs.launchpad.net
Mon Oct 16 13:52:31 UTC 2023
(originally in https://pastebin.ubuntu.com/p/458fsc9ffz/ )
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack$ openstack project list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 424d928b34b640e0a36a8a2e3fdc6f09 | demo |
| 507dbc22af73459b853e3766c35c8b64 | admin |
| cab27753566d42029be264f36ba2b8e4 | admin |
| d212590292cf4a60b445c6d6343ccfbc | services |
| ec0fb8a582714d54aaa71fef843e1dea | alt_demo |
| fe131c6831fc477ea15e27d46c28fe2f | services |
+----------------------------------+----------+
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack$ openstack domain list
+----------------------------------+----------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------+---------+--------------------+
| 201b2ebc79db4c73bf5e72b548327830 | service_domain | True | Created by Juju |
| 9a9ba9e3fb704f24a45098c605f6b4fb | admin_domain | True | Created by Juju |
| default | Default | True | The default domain |
+----------------------------------+----------------+---------+--------------------+
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack$ openstack user create --domain admin_domain --project 424d928b34b640e0a36a8a2e3fdc6f09 --password test test-user
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack$ openstack role add --domain admin_domain --user test-user Admin
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack$ openstack role add --project 424d928b34b640e0a36a8a2e3fdc6f09 --user test-user Admin
# Take note of the application credentials as these will be useful when testing the issue.
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack$ openstack application credential create test-user-cred
+--------------+----------------------------------------------------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------------------------------------------------+
| description | None |
| expires_at | None |
| id | 33869eace8b34bf7b083a59677248fc6 |
| name | test-user-cred |
| project_id | 507dbc22af73459b853e3766c35c8b64 |
| roles | reader Admin member load-balancer_admin |
| secret | 5qu2WuvwysIxZi2XKKJvgs2hA_Gx2NMx9lr-LNVmgWbMmkRSjYxFAQtN8zoW5I23palGW7cdeYDLB0mLDNVJyw |
| system | None |
| unrestricted | False |
| user_id | 1053c1da7d6b4be7b122e94a6a8ba3ea |
+--------------+----------------------------------------------------------------------------------------+
### Create certificate store, can be whatever cert you have at hand, I had a couple of old ones on ~/stsstack-bundles/openstack/ssl/ and used those
# not important whether they have a valid FQDN or not, since it's not relevant for what we are testing here:
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack/ssl/openstack-test/results$ openstack secret store --payload-content-type='text/plain' --name='test-certificate' --payload="$(cat servercert.pem)"
+---------------+-------------------------------------------------------------------+
| Field | Value |
+---------------+-------------------------------------------------------------------+
| Secret href | https://None:9312/v1/secrets/d3e5d578-878e-4ea1-8de7-b102840b9a59 |
| Name | test-certificate |
| Created | None |
| Status | None |
| Content types | {'default': 'text/plain'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-------------------------------------------------------------------+
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack/ssl/openstack-test/results$ openstack secret store --payload-content-type='text/plain' --name='test-certificatkey' --payload="$(cat serverkey.pem)"
+---------------+-------------------------------------------------------------------+
| Field | Value |
+---------------+-------------------------------------------------------------------+
| Secret href | https://None:9312/v1/secrets/11b4ff5d-2849-4c87-9679-000b18639eec |
| Name | test-certificatkey |
| Created | None |
| Status | None |
| Content types | {'default': 'text/plain'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-------------------------------------------------------------------+
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack/ssl/openstack-test/results$ openstack secret container create --name='certificate_test_and_key' --type="certificate" --secret='certificate=https://None:9312/v1/secrets/d3e5d578-878e-4ea1-8de7-b102840b9a59' --secret='private_key=https://None:9312/v1/secrets/11b4ff5d-2849-4c87-9679-000b18639eec'
+----------------+----------------------------------------------------------------------+
| Field | Value |
+----------------+----------------------------------------------------------------------+
| Container href | https://None:9312/v1/containers/416543ba-ecd3-4ad1-8174-8899f58e92c1 |
| Name | certificate_test_and_key |
| Created | None |
### Create load balancer and listener which will fail:
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack$ openstack loadbalancer create --name testlb --vip-network-id lb-mgmt-net
+---------------------+-----------------------------------------+
| Field | Value |
+---------------------+-----------------------------------------+
| admin_state_up | True |
| availability_zone | None |
| created_at | 2023-08-26T13:27:09 |
| description | |
| flavor_id | None |
| id | 2f6ddd95-744d-4117-a0e8-327dd4ec620c |
| listeners | |
| name | testlb |
| operating_status | OFFLINE |
| pools | |
| project_id | 507dbc22af73459b853e3766c35c8b64 |
| provider | amphora |
| provisioning_status | PENDING_CREATE |
| updated_at | None |
| vip_address | fc00:c9e5:8c21:7663:f816:3eff:fee9:d343 |
| vip_network_id | a2790789-2731-42e2-b9d7-c9e58c217663 |
| vip_port_id | 19dd28a2-46ac-43a6-9cf6-dfc5f4805750 |
| vip_qos_policy_id | None |
| vip_subnet_id | 3a999eef-d778-41e5-9365-7be090f05b8d |
+---------------------+-----------------------------------------+
# Should wait till it's active
ubuntu at dnegreira-bastion:~/stsstack-bundles/openstack$ openstack loadbalancer list
+--------------------------------------+--------+----------------------------------+-----------------------------------------+---------------------+----------+
| id | name | project_id | vip_address | provisioning_status | provider |
+--------------------------------------+--------+----------------------------------+-----------------------------------------+---------------------+----------+
| 2f6ddd95-744d-4117-a0e8-327dd4ec620c | testlb | 507dbc22af73459b853e3766c35c8b64 | fc00:c9e5:8c21:7663:f816:3eff:fee9:d343 | ACTIVE | amphora |
+--------------------------------------+--------+----------------------------------+-----------------------------------------+---------------------+----------+
# Do a `source novarc` in ~/stsstack-bundles/openstack to set the OS_* variables
# for the current deployment, leave the ones set as per below and make sure to
# `unset OS_<OTHER_VARIABLES>`, else you won't be able to issue openstack
# commands (of course adapt to your own credentials/IPs):
ubuntu at dnegreira-bastion:~/appcredentials$ env | grep OS_
OS_AUTH_URL=https://10.5.0.157:5000/v3
OS_APPLICATION_CREDENTIAL_SECRET=5qu2WuvwysIxZi2XKKJvgs2hA_Gx2NMx9lr-LNVmgWbMmkRSjYxFAQtN8zoW5I23palGW7cdeYDLB0mLDNVJyw
OS_APPLICATION_CREDENTIAL_ID=33869eace8b34bf7b083a59677248fc6
OS_AUTH_TYPE=v3applicationcredential
# After this is done you can try to create the listener which will introduce the error in this ticket:
openstack loadbalancer listener create --name https-test --protocol TERMINATED_HTTPS --protocol-port 443 --default-tls-container-ref="https://None:9312/v1/containers/416543ba-ecd3-4ad1-8174-8899f58e92c1" 2f6ddd95-744d-4117-a0e8-327dd4ec620c
Could not retrieve certificate: ['https://None:9312/v1/containers/416543ba-ecd3-4ad1-8174-8899f58e92c1'] (HTTP 400) (Request-ID: req-a505a595-4eee-4e95-b721-cb3b4e9fe5eb)
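The environment step above only works when the OS_* variables describe a v3applicationcredential login and nothing else. The following script is an added example (not from the bug report or from octavia) that checks an environment for that condition and builds the keystone v3 token request such a login produces; the variable names it treats as required or conflicting, and the claim that keystone refuses an application-credential request that also carries a scope, are assumptions based on keystoneauth1's behaviour, not facts stated on the page.

```python
"""Check OS_* variables for v3applicationcredential auth and build the
keystone v3 /auth/tokens request body they produce (added example)."""
import json
import os

# What the reproduction step leaves set (assumption: the keystoneauth1
# v3applicationcredential loader reads exactly these for the login itself).
REQUIRED = ("OS_AUTH_URL", "OS_AUTH_TYPE",
            "OS_APPLICATION_CREDENTIAL_ID", "OS_APPLICATION_CREDENTIAL_SECRET")
# Scope and password/token selectors from a normal novarc. An application
# credential is already scoped to its project (project_id in the table above),
# so these are the "OS_<OTHER_VARIABLES>" the step says to unset (assumption:
# keystone rejects an application-credential request that also asks for scope).
CONFLICTING = ("OS_PROJECT_ID", "OS_PROJECT_NAME", "OS_PROJECT_DOMAIN_ID",
               "OS_PROJECT_DOMAIN_NAME", "OS_DOMAIN_ID", "OS_DOMAIN_NAME",
               "OS_SYSTEM_SCOPE", "OS_PASSWORD", "OS_TOKEN")


def check_appcred_env(env):
    """Return (missing, conflicting) variable names for app-credential auth."""
    missing = [v for v in REQUIRED if not env.get(v)]
    if env.get("OS_AUTH_TYPE") not in (None, "v3applicationcredential"):
        missing.append("OS_AUTH_TYPE=v3applicationcredential")
    conflicting = [v for v in CONFLICTING if env.get(v)]
    return missing, conflicting


def appcred_auth_request(env):
    """Return (url, body) for POST /v3/auth/tokens with an application credential.

    There is deliberately no "scope" key in the body: the credential carries
    its own project, unlike a password login that names one explicitly.
    """
    missing, conflicting = check_appcred_env(env)
    if missing or conflicting:
        raise ValueError(f"missing={missing} conflicting={conflicting}")
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    body = {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {
            "id": env["OS_APPLICATION_CREDENTIAL_ID"],
            "secret": env["OS_APPLICATION_CREDENTIAL_SECRET"]}}}}
    return url, body


if __name__ == "__main__":
    env = dict(os.environ)
    problems = check_appcred_env(env)
    if any(problems):
        print("fix the environment first: missing=%s conflicting=%s" % problems)
    else:
        url, body = appcred_auth_request(env)
        print(url)
        print(json.dumps(body, indent=2))
```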
** Description changed:
[Impact]
* Users cannot add an HTTPS endpoint with octavia/barbican when using
application credentials as it returns http error 500 when trying to do
so.
[Test Case]
- * Full details of commands here [1], summary below.
+ * Full details of commands in comment #10, summary below.
* Add a user in a project
* Add the admin role to the user in the project
* Create application credentials
* Create a barbican certificate store
* Create octavia loadbalancer and listener with the application credentials
[Where problems could occur]
* Users might not be able to create load balancers or attach a listener
to a load balancer.
[Other Info]
- * Original story: https://storyboard.openstack.org/#!/story/2007619
+ * Original story: https://storyboard.openstack.org/#!/story/2007619
* Upstream fix and backports: https://review.opendev.org/q/Id77ce36f59b71d309f153e5c1d44059f162ee440
* Current upstream fix for octavia/Ussuri: https://review.opendev.org/c/openstack/octavia/+/894548
* Current upstream fix for octavia/Victoria: https://review.opendev.org/c/openstack/octavia/+/894547
* Currently waiting on upstream merges to proceed with SRU.
-
- [1] https://pastebin.ubuntu.com/p/458fsc9ffz/
** Description changed:
[Impact]
* Users cannot add an HTTPS endpoint with octavia/barbican when using
application credentials as it returns http error 500 when trying to do
so.
[Test Case]
* Full details of commands in comment #10, summary below.
* Add a user in a project
* Add the admin role to the user in the project
* Create application credentials
* Create a barbican certificate store
* Create octavia loadbalancer and listener with the application credentials
[Where problems could occur]
* Users might not be able to create load balancers or attach a listener
to a load balancer.
[Other Info]
* Original story: https://storyboard.openstack.org/#!/story/2007619
* Upstream fix and backports: https://review.opendev.org/q/Id77ce36f59b71d309f153e5c1d44059f162ee440
* Current upstream fix for octavia/Ussuri: https://review.opendev.org/c/openstack/octavia/+/894548
* Current upstream fix for octavia/Victoria: https://review.opendev.org/c/openstack/octavia/+/894547
- * Currently waiting on upstream merges to proceed with SRU.
** Description changed:
[Impact]
* Users cannot add an HTTPS endpoint with octavia/barbican when using
- application credentials as it returns http error 500 when trying to do
- so.
+ application credentials (it returns http error 500).
[Test Case]
* Full details of commands in comment #10, summary below.
* Add a user in a project
* Add the admin role to the user in the project
* Create application credentials
* Create a barbican certificate store
* Create octavia loadbalancer and listener with the application credentials
[Where problems could occur]
* Users might not be able to create load balancers or attach a listener
to a load balancer.
[Other Info]
* Original story: https://storyboard.openstack.org/#!/story/2007619
* Upstream fix and backports: https://review.opendev.org/q/Id77ce36f59b71d309f153e5c1d44059f162ee440
* Current upstream fix for octavia/Ussuri: https://review.opendev.org/c/openstack/octavia/+/894548
* Current upstream fix for octavia/Victoria: https://review.opendev.org/c/openstack/octavia/+/894547
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2035180
Title:
[SRU] Backport Fix barbican client with application credentials/trusts
to Ussuri/Victoria
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive ussuri series:
New
Status in Ubuntu Cloud Archive victoria series:
New
Status in octavia package in Ubuntu:
New
Status in octavia source package in Focal:
New
Bug description:
[Impact]
* Users cannot add an HTTPS endpoint with octavia/barbican when using
application credentials (it returns http error 500).
[Test Case]
* Full details of commands in comment #10, summary below.
* Add a user in a project
* Add the admin role to the user in the project
* Create application credentials
* Create a barbican certificate store
* Create octavia loadbalancer and listener with the application credentials
[Where problems could occur]
* Users might not be able to create load balancers or attach a
listener to a load balancer.
[Other Info]
* Original story: https://storyboard.openstack.org/#!/story/2007619
* Upstream fix and backports: https://review.opendev.org/q/Id77ce36f59b71d309f153e5c1d44059f162ee440
* Current upstream fix for octavia/Ussuri: https://review.opendev.org/c/openstack/octavia/+/894548
* Current upstream fix for octavia/Victoria: https://review.opendev.org/c/openstack/octavia/+/894547